Container Registry Support
GitHub Container Registry integrations support:
- Registry notification - scans occur for each image push
- On-demand scans via the API
Integration Setup Overview
Integration setup consists of the following steps:
- Create a container registry integration in the Lacework Console
- (With notifications) Add a webhook in GitHub for registry notification
- (Without notifications) Set up image assessment through the Lacework API
- Whitelist Lacework Outbound IPs
Create a GitHub Container Registry Integration in Lacework
- Log in to the Lacework Console with an account with admin permissions.
- Navigate to Settings > Integrations > Container Registries.
- Click + Create New.
- From the Registry Type drop-down, select GitHub Container Registry and click Next.
- Complete the required settings.
- (Optional) Subscribe to registry notifications by selecting Subscribe to Registry Notifications.
The integration status displays Integration Successful only after its first assessment completes.
| Setting | Description |
|---|---|
| Registry Type | Specify the registry type from the drop-down; in this case, select GitHub Container Registry. |
| Name | Specify a unique name for the container registry in the Lacework Console. |
| Username | Specify a user that has permission to pull the images that will be assessed from the container registry. |
| Password | Specify the GitHub token. To generate a new token, go to your organization and navigate to Settings > Developer settings > Personal access tokens > Generate new token. The required permission is read:packages. |
| SSL | Select the checkbox if the registry uses SSL. You can use either a valid SSL certificate issued by a trusted Certificate Authority (CA) or a self-signed certificate. If this is unselected, Lacework talks to the registry over an unencrypted channel. |
| Registry Domain | Specify a domain using one of these formats: YourIP:YourPort or YourDomain:YourPort |
| Limit by Tag (optional) | If you do not want to assess all images in this registry, specify text from an image tag so that only images whose tag contains that text are assessed. To change which images are assessed, update this field; the change takes effect during the next polling period. If you specify both tag and label limits, they are combined with AND. Supported field input: |
| Limit by Label (optional) | If you do not want to assess all images in this registry, specify text from an image label so that only images whose label contains that text are assessed. To change which images are assessed, update this field; the change takes effect during the next polling period. If you specify both tag and label limits, they are combined with AND. Supported field input: |
Lacework can receive notifications that the registry sends in response to events that happen within the registry. When Lacework receives manifest push notifications, Lacework performs an assessment.
When the integration subscribes to notifications, you must add a webhook in GitHub that uses the additional information Lacework provides.
When you create or edit the integration, the following additional information is available:
- Notification Listener URL - the URL to which GitHub delivers registry notifications.
- Authorization Token - an integration-specific, long-running server token.
The URL and token are available on the Container Registry page. Click the integration name and copy both items from the details pane. The information is required in the next section.
Each integration can have one token. If the integration unsubscribes from notifications and then subscribes again, Lacework uses the same token.
Add a Webhook to GitHub
If you subscribed to notifications, you must add a webhook to your organization and then add the notification listener URL and authorization token.
- In GitHub, navigate to the organization where you want to add a webhook.
NOTE: You must use an organization webhook. Repository webhooks cannot be used.
- Select Webhooks.
- Click Add webhook.
- For Payload URL, paste the integration's URL from the Lacework Console, such as:
- For Content type, select application/json.
- For Secret, paste the integration's authorization token.
- For Which events would you like to trigger this webhook?, choose Let me select individual events, then select Package v2s from the list of events.
- Select Active.
- Click Add webhook.
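What the Secret field actually does on the wire, as an added illustration that is not Lacework's or GitHub's code: GitHub computes an HMAC-SHA256 over the raw request body with the configured secret and sends it in the X-Hub-Signature-256 header, so a listener can reject deliveries that were not produced with the shared authorization token. The secret value, the payload contents and the `package` event name are constructed or assumed for the example.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed sample value standing in for the integration's authorization
# token, i.e. the value pasted into the webhook's Secret field.
WEBHOOK_SECRET = b"example-integration-token"


def sign_payload(secret: bytes, body: bytes) -> str:
    """Build the value GitHub puts in X-Hub-Signature-256:
    'sha256=' followed by the hex HMAC-SHA256 of the raw body."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, body: bytes, header_value: Optional[str]) -> bool:
    """True only if the header matches the HMAC of the exact bytes received.
    The body must be the raw bytes: re-serialising parsed JSON changes
    whitespace/key order and the MAC no longer matches. compare_digest
    keeps the comparison constant-time."""
    if not header_value or not header_value.startswith("sha256="):
        return False
    return hmac.compare_digest(sign_payload(secret, body), header_value)


def handle_notification(headers: dict, body: bytes, secret: bytes = WEBHOOK_SECRET) -> dict:
    """Decide whether a delivery may trigger an image assessment.
    Nothing in the body is trusted before the signature check passes."""
    if not verify_signature(secret, body, headers.get("X-Hub-Signature-256")):
        return {"accepted": False, "reason": "bad or missing signature"}
    event = headers.get("X-GitHub-Event")
    if event != "package":  # assumed event name for GitHub Packages deliveries
        return {"accepted": False, "reason": "ignored event %r" % event}
    payload = json.loads(body)
    if payload.get("action") != "published":  # assumed action for a push
        return {"accepted": False, "reason": "not a publish action"}
    return {"accepted": True, "delivery": headers.get("X-GitHub-Delivery")}


if __name__ == "__main__":
    # Constructed delivery: a minimal package-published payload.
    raw = b'{"action":"published","package":{"name":"demo","package_type":"CONTAINER"}}'
    hdrs = {"X-GitHub-Event": "package", "X-GitHub-Delivery": "demo-1",
            "X-Hub-Signature-256": sign_payload(WEBHOOK_SECRET, raw)}
    print(handle_notification(hdrs, raw))
    # Same JSON re-serialised with different whitespace: the MAC no longer matches.
    print(handle_notification(hdrs, json.dumps(json.loads(raw)).encode()))
```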
Set Up Image Assessment Through the API
If you did not subscribe to notifications, you can, for example, make an API call each time an image is built so that Lacework assesses it.
For information about setting up container image assessment, see the Vulnerability API section in the Lacework API documentation.
Whitelist Lacework Outbound IPs
You must whitelist the following Lacework outbound IPs if you want to allow Lacework to communicate with your servers.